LawFlash

DOJ Issues New Guidance on Corporate Compliance Programs

February 21, 2017

The DOJ Fraud Section’s “Evaluation of Corporate Compliance Programs” puts chief compliance officers on notice about how the adequacy of their companies’ compliance programs is evaluated by prosecutors.

On February 8, the Fraud Section of the US Department of Justice (DOJ) published a list of “important topics and sample questions” it uses when evaluating the effectiveness of corporate compliance programs—titled “Evaluation of Corporate Compliance Programs”[1] (Compliance Program Guidance).

Prosecution of Business Organizations and the “Filip Factors”

The DOJ’s corporate charging guidelines—the “Principles of Federal Prosecution of Business Organizations”[2]—outline the 10 factors that federal prosecutors should consider when assessing the resolution of cases involving corporate wrongdoing. These factors, commonly known as the “Filip Factors,” include “the existence and effectiveness of the corporation’s pre-existing compliance program” as well as the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.”

The Compliance Program Guidance is intended to provide the public with more transparency about federal prosecutors’ review of compliance programs under the Filip Factors. While the Compliance Program Guidance cautions that “each company’s risk profile and solutions to reduce its risks warrant particularized evaluation,” the document addresses a number of issues that apply to practically all compliance programs.

The Compliance Program Guidance draws from existing resources, including the US Sentencing Guidelines as well as several Organisation for Economic Co-operation and Development publications.[3]

Key Areas of Focus

Policies and procedures are a foundational component of any corporate compliance program, and the Compliance Program Guidance devotes considerable attention to this topic. As a threshold matter, prosecutors consider the “design and accessibility” of policies and procedures—including whether they are tailored to a company’s risk profile, have been effectively implemented and communicated, and have been evaluated to ensure usefulness. Prosecutors also consider the “operational integration” of a company’s compliance policies and procedures—including the adequacy of payment systems and other controls that should have helped detect or prevent misconduct.

The Compliance Program Guidance also focuses on questions concerning the value assigned and resources devoted to compliance programs. For example, the guidance contains pointed questions like the following: “How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers?”

Prosecutors look for signs of “autonomy,” such as whether compliance personnel have “direct reporting lines to anyone on the board of directors” and whether “relevant control personnel in the field have reporting lines to headquarters.” They also look for signs of “empowerment,” such as instances where “specific transactions or deals . . . were stopped, modified, or more closely examined as a result of compliance concerns.”

The DOJ has previously advised companies that their compliance programs “should be tailored to [their] specific needs, risks, and challenges,”[4] and the Compliance Program Guidance indicates that the DOJ looks for signs of risk awareness when assessing compliance initiatives. Considerations include the “methodology [that] the company used to identify, analyze, and address the particular risks it face[s],” the “information or metrics [that] the company collect[s] and use[s] to help detect” misconduct, and the scope of the company’s risk assessments.

Recent enforcement actions suggest that third parties continue to pose major risks for companies operating overseas, and the DOJ looks for evidence that such companies are proactively addressing third-party risks. Prosecutors want to know whether a company has a “third-party management process [that] correspond[s] to the nature and level of [its] enterprise risk[s]” and will consider whether the company (i) engages in third-party due diligence and monitoring, (ii) requires that its third parties enter into written contracts with “appropriate” payment terms, and (iii) addresses any red flags that arise during the course of the relationship.

Conclusion

While the Compliance Program Guidance is “required reading” for companies and their counsel when preparing compliance-related presentations or submissions to the DOJ, it is also a valuable resource for officers and directors who want to ensure that their compliance programs satisfy regulator expectations. The DOJ expects compliance programs to be strong both on paper and in practice,[5] and this 119-question resource offers critical intelligence for chief compliance officers looking for ways to weave compliance into the fabric of their organizations.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers: